Access rights to files and directories in UNIX-like operating systems

For PHP scripts to function properly and for data to stay secure, correct permissions often have to be assigned to files and directories using the chmod command, an FTP client, or the web-based file manager of a hosting control panel. How do you determine permission values that are correct and sufficient, but no wider than necessary?

Owner and group

In UNIX-like operating systems (Linux, FreeBSD, etc.) file systems store information on the owner and group name of each file and directory.

Owner — the name of the operating system user the file or directory "belongs" to.
Group — the name of the user group, whose members are allowed to access the file or directory.

Note that each file or directory can have a different owner or group name. For instance, if the FTP service and the web server run under different users on the hosting server (e.g., ftp-user and Apache), then files uploaded over FTP would be owned by ftp-user, while files created by a PHP script (e.g. extracted from the distribution archive during installation of WebAsyst) would be owned by the Apache user.

Permissions

Each file and directory on a UNIX-powered server is assigned a 3-digit value, which determines what kind of access is allowed to its owner, its group members, and all other users of the server operating system:

  • the first digit denotes access rights of the owner;
  • the second digit denotes access rights of the group members;
  • the third digit denotes access rights of all other users.

Each of the three digits is a sum of a number of fixed permission values listed below:

1 (also denoted by the letter x) — execute access. It makes a file executable (a program); for a directory it allows modifying its contents (e.g. creating, deleting, or renaming files and subdirectories inside it).
2 (also denoted by the letter w) — write access. Allows modifying the contents of a file, or renaming in the case of a directory.
4 (also denoted by the letter r) — read access. Allows reading the contents of a file, or reading the names of the files and subdirectories located inside a directory.

Example

750 = (1+2+4) (1+4) (0)

In this case the owner is allowed to execute, rewrite, and read (1, 2, and 4), group members are allowed only to execute and read (1 and 4), and the rest of the users are not allowed to access this particular file or directory.

Access to WebAsyst files and directories

Each file and directory in WebAsyst serves a different purpose, so they need different permissions. Some need only to be readable, while others must be writable by PHP scripts and via an FTP connection. The list of files and directories, together with general information on their permissions, is provided in the WebAsyst installation guide in the section "Protecting WebAsyst after installation".

Several sample cases with solutions

  1. What permissions should be assigned to a file to make it editable over FTP?

    This depends on the name of the file owner and its group, as well as which user is a member of the group. Let us examine the following example.

    Given:
    The users ftp-user and Apache and the group users exist on the server, and ftp-user is a member of the users group.
    The file owner is Apache, and the file group is users.
    The file must be editable both by PHP scripts (which run under the Apache user) and by an FTP client (ftp-user). Any other access to the file must be prohibited.

    Solution:
    Owner's access rights: since the owner is the user that executes PHP scripts (Apache in this example), it must be assigned read (4) and write (2) access — to execute the PHP code and to rewrite the file (e.g. during an update). Thus the first digit is 2+4=6.
    Group's access rights: the FTP connection is established under the ftp-user user, which is a member of the users group, hence group members must be granted read and write access, i.e. 2+4=6.
    Other users' access rights: all necessary access rights have already been assigned, so nothing else is needed and this digit stays zero.

    The final permission value made up of the three digits is equal to 660, which can be used to execute the chmod command:

    chmod 660 index.php

  2. What permissions should be assigned to a directory so that I can edit files inside it over FTP?

    Given:
    The directory owner is Apache, and the group is users.

    Solution:
    Owner's access rights: let us assume that the owner (in this case Apache which runs the web server executing PHP scripts) requires full access to the directory for normal operation, hence, 1+2+4=7.
    Group's access rights: FTP connection is established under the ftp-user user, which is a member of the users group, so all group members must be granted read and execute access rights to the directory (as its contents will be changed), i.e. 1+4=5.
    Other users' access rights: all necessary access rights have already been assigned, so nothing else is needed and this digit stays zero.

    The final permission value made up of the three digits is equal to 750, which can be used to execute the chmod command:

    chmod 750 published

Tip: every time the owner or group name is changed, or a user is removed from or added to a group, it may become necessary to change the permissions for one or several files or directories according to the guidelines provided in this article.
Note: the names of users and groups, as well as information on their membership in groups in the above examples may differ from your real server configuration. Please contact your system administrator for details on that.
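The digit arithmetic from the two cases above, carried out in code (an added example, not part of the original article or of WebAsyst): it builds a mode from per-class r/w/x letters, renders it the way ls -l does, and reports which permission a given user ends up with, assuming the article's illustrative names Apache, ftp-user and the users group.

```python
# Constructed scenario from the article: the web server runs as "Apache",
# FTP connects as "ftp-user", and ftp-user is a member of group "users".
# These names are illustrative, not a real server configuration.
GROUP_MEMBERS = {"users": {"ftp-user"}}
BITS = {"r": 4, "w": 2, "x": 1}


def mode_from_perms(owner: str, group: str, other: str) -> int:
    """Build the 3-digit mode from per-class letters, e.g. ("rw", "rw", "") -> 0o660.
    Each digit is the sum of 4 (r), 2 (w) and 1 (x), as the article explains."""
    digits = [sum(BITS[c] for c in cls) for cls in (owner, group, other)]
    return (digits[0] << 6) | (digits[1] << 3) | digits[2]


def symbolic(mode: int) -> str:
    """Render a mode the way `ls -l` shows it: 0o750 -> 'rwxr-x---'."""
    return "".join(
        c if (mode >> shift) & BITS[c] else "-"
        for shift in (6, 3, 0)
        for c in "rwx"
    )


def effective_digit(mode: int, owner: str, group: str, user: str) -> int:
    """Select the digit that applies to `user`: owner, group member or other."""
    if user == owner:
        return (mode >> 6) & 0o7
    if user in GROUP_MEMBERS.get(group, set()):
        return (mode >> 3) & 0o7
    return mode & 0o7


def allowed(mode: int, owner: str, group: str, user: str, perm: str) -> bool:
    """True if `user` has permission `perm` ('r', 'w' or 'x') on the object."""
    return bool(effective_digit(mode, owner, group, user) & BITS[perm])


if __name__ == "__main__":
    # Case 1: a file editable by the web server and over FTP, by nobody else.
    f = mode_from_perms("rw", "rw", "")
    print(oct(f), symbolic(f), allowed(f, "Apache", "users", "ftp-user", "w"))
    # Case 2: a directory; ftp-user may read and enter it but has no "w" on
    # the directory itself, so it cannot add or remove entries in it (on a
    # real system "w" on a directory governs creating and deleting names).
    d = mode_from_perms("rwx", "rx", "")
    print(oct(d), symbolic(d), allowed(d, "Apache", "users", "ftp-user", "w"))
```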

Virtual web hosting

Some web hosting companies restrict the use of arbitrary permissions by offering a limited list of allowed values that can be assigned to files and directories. Attempts to use permissions outside that list may result in HTTP 500 or 403 server errors. Familiarize yourself with the corresponding requirements of your hosting company before changing permissions on files or directories. If you do not want to be bound by the restrictions of a shared hosting server, consider installing WebAsyst scripts on a virtual dedicated server or on a server of your own.